Aztec Network suffered losses of over 2.15 million dollars due to a mismatch between ZK proofs and L1 settlement boundaries
According to analysis by BlockSec Phalcon (@Phalcon_xyz), the RollupProcessorV3 contract of Aztec Network was attacked, resulting in losses exceeding $2.15 million. The root cause was that numRealTxs was not effectively bound to the transaction set enforced by the ZK proof, so the proof verification path and the L1 settlement logic interpreted the transaction list differently. The attacker exploited this vulnerability to move real deposits to slots not processed by the settlement logic, bypassing the decreasePendingDepositBalance() function, creating unsecured private balances out of thin air, and then withdrawing through the normal settlement process, involving a total of seven assets.
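The boundary mismatch described above can be modelled in a few lines. This is an added example, not Aztec's contract or circuit code: the slot layout, the names Rollup, commit, settle_unbound, settle_bound and backing_gap, and the hash standing in for a ZK proof are all assumptions. It compares a settlement path where the transaction count sits outside the proven statement with one where the count is part of it and slots past the count must be padding.

```python
import hashlib

# Simplified model, NOT Aztec's contract or circuit code. The slot layout,
# the names and the hash standing in for a ZK proof are assumptions.
PADDING = ("pad", "", 0)

def commit(slots, num_real_txs=None):
    """Stand-in for the statement a proof attests to."""
    data = repr(slots) if num_real_txs is None else repr((slots, num_real_txs))
    return hashlib.sha256(data.encode()).hexdigest()

class Rollup:
    def __init__(self, pending):
        self.pending = dict(pending)  # L1 deposits not yet consumed
        self.private = {}             # balances credited by the proven batch
        self.consumed = 0             # total removed from pending deposits

    def _apply(self, slots, num_real_txs):
        # Settlement side: only the first num_real_txs slots are walked.
        for kind, owner, amount in slots[:num_real_txs]:
            if kind == "deposit":
                if self.pending.get(owner, 0) < amount:
                    raise ValueError("insufficient pending deposit")
                self.pending[owner] -= amount
                self.consumed += amount
        # Proven side: every deposit slot in the batch is credited.
        for kind, owner, amount in slots:
            if kind == "deposit":
                self.private[owner] = self.private.get(owner, 0) + amount

    def settle_unbound(self, slots, num_real_txs, proof):
        if proof != commit(slots):  # count is outside the proven statement
            raise ValueError("bad proof")
        self._apply(slots, num_real_txs)

    def settle_bound(self, slots, num_real_txs, proof):
        if proof != commit(slots, num_real_txs):  # count is part of it
            raise ValueError("bad proof")
        if any(s != PADDING for s in slots[num_real_txs:]):
            raise ValueError("non-padding slot beyond num_real_txs")
        self._apply(slots, num_real_txs)

def backing_gap(rollup):
    """Private balance not matched by a consumed deposit; 0 when sound."""
    return sum(rollup.private.values()) - rollup.consumed

# Constructed batch: the second deposit sits past the declared count of 1.
BATCH = [("deposit", "alice", 5), ("deposit", "bob", 100)]
```

A non-zero backing_gap after settlement is the invariant violation to monitor for: credited private balance must always equal the pending deposits actually consumed.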